In association with heise online

hS: Although it's peculiar that it can work in reverse – there's the example of the stunt of standing on London Bridge with a tray full of genuine gold guineas and offering them to passers-by for £1, and no one would take them. And of course the problem today is that we all have so many accounts that require passwords for security and are probably adding a new account every day for one website or another.

MB: So taking passwords, it's actually a good example, where the advice is quite straightforward and it's exactly what you alluded to – in the early 2000s I was the president of Liberty Alliance, which is an open standards consortium focussed on identity management standards and guidelines, and at that point in 2001–2002, if you talked to the average consumer and said "How many IDs do you have on the internet?" they would probably say, "Oh, I don't know, 5 or 6, why do you ask?" At this point if you ask them the same question they go, "I've got thirty plus of the bloody things, help me fix this problem" and are reaching across the table to try and strangle you, and I can't say I blame them. But I think part of the problem is people's response is, either they try and use a separate password for absolutely everything, and they've been told they shouldn't write them down, so they try and remember them and then they get in trouble because they forget them. Or they just say 'to hell with this' and use the same password for everything.

Now the way I describe it is this: the password is the key to your account. Now in the real world, if you just had one key and it was the key to your car, your house, your office, your gym locker, your safety deposit box in the bank and so on, well OK, life would be convenient until such time as you lost that key and then, boy, you'd be in big trouble when you had to run around trying to sort things out. It's exactly the same model on the internet, and so generally what I recommend is that consumers use no more than four passwords, so they do a bit of sharing across accounts, but they bucket them by levels of risk, essentially.

So the first one (bucket) would be e-banking, so if you have an account with HSBC, you have an account with Lloyds and so on, those passwords should be very strong and you should feel free to share those across top tier companies like that, because those companies have all got folks like me who are dead paranoid and lock their systems down. So you are very unlikely to get breached in any of those environments.

The second risk category is your e-mail account. Use a password for your email account that is different, do not share that with anything else. The reason for that is because, in many cases, if you've got secure access to your email account you can recover access to many other types of accounts, not all of them, but frequently that's the case (by requesting password reminders and so on).

Then the third bucket is the tier one, or marquee, e-commerce sites, like eBay, Amazon and so on, the tier one sites that you go to a lot and you're going to be using multiple times a year. Again, they have pretty decent security so you're pretty safe, and because you don't tend to have dozens of those you're fairly safe having one password for those.

Now the fourth category is what I describe as the great unwashed masses: you go there, you have to set up an account, you're probably not going back, so if somebody breaches those, well, they have discovered you have bought something obscure, but they haven't really found out anything very useful.

So by just following those guidelines you make your life a whole lot safer and easier for you. Now the other thing is to pick a good password, and that turns out to be quite hard, because people think "oh, I'll use the name of Fluffy my cat"; well actually Fluffy might not be in the OED, but the bad guys have got their own dictionaries of the top 200,000 favourite passwords and Fluffy is probably one of them. The amazing thing is that, if you don't prevent it on your site, 30 per cent of people will pick the word "Password" as their password. So my advice on this is take two unrelated words that you can remember, don't capitalise the first letter, make say the fourth letter capitalised, but use the same letter position across the four categories of password I mentioned earlier, and then shove a numeric in somewhere. You should be able to remember four strange word combinations like that fairly effectively, so there are ways around picking secure passwords that aren't too difficult to remember. The other piece of advice is that it actually is OK to write these down, as long as you are careful where you put the piece of paper.

For example, if you write them on a post-it and stick it on the side of your monitor that's not such a good idea, but if you put it inside a pocket in your wallet that's much more secure, because most people take very good care of their wallets. The other thing to do is only write down the passwords, don't write down any of the accounts which they are for. You'll just have a list of four strange word combinations and you will know which password you use for each account, but to anyone else they won't mean very much. So in fact writing them down, as long as you are sensible about it, isn't so daft, but I think that to date the information security industry hasn't done the public any favours, because we've been banging it into their heads for so long that they should never write their passwords down.

hS: Yes, of course the problem for some people is that if you started off when you only needed passwords for a handful of things, you only had a few, but over the years that password list has grown and grown, so to rationalise their passwords in the way you suggest would entail going through perhaps several hundred accounts to change them all. The other problem is that there are accounts where you don't have a direct personal choice of what the password is.

MB: Yes, that's true, and there are certain sites I have been using for a very long time but don't visit all that often, and having to think back to things that were memorable when you started, like street names and so on, can be difficult when, for example, you may have moved away from that location many years ago.

hS: The problem is compounded by the idea of having to retire passwords after a certain period of time, as is often enforced in corporate environments, and gradually getting confused over which password is current.

I can't but think that someone is going to come up with a new approach, some genius solution to the password problem.
